Smartphone Security

5 10 2011

by Shanief Webb

As of July 2011, studies have concluded that 42% of Americans own smartphones. Of those smartphones, the most common platforms turn out to be Google’s Android operating system and Apple’s iOS. [1] With such a large, growing number of smartphone users, there are bound to be attackers seeking ways to exploit any vulnerabilities or threats that exist in those platforms. Pfleeger and Pfleeger might agree that smartphones attract attackers because they “often run [operating] systems with vulnerabilities and little monitoring or management” (Pfleeger, Pfleeger 9). [2]

Users tend to store lots of valuable information on their smartphones, such as personal e-mail and phone contacts, calendar(s), mobile web history, etc. [3] Additionally, the phone’s hardware can provide valuable information as well. For example, GPS sensors in the phone can provide real-time location data, the microphone can provide audio, the built-in camera can provide pictures and maybe video, and so on. This data is valuable to others because it can be used to spam your contacts (maybe even as an impersonation of you) and trick them into providing identifying or financial information, or to make phone calls on your behalf; the uses of this data are endless.

So, how can an attacker get access to this data and hardware? Since there are so many smartphone users, it’s convenient for the attacker to get them to come to him rather than the other way around. As an Android developer, I suggest the most feasible method to accomplish this goal is to publish a malicious mobile application (app) to a market that will distribute the app for you. To avoid suspicion, one might make an app that seems legitimate and useful, but in the background it performs malicious activity. Once the app is on a smartphone user’s device, it can access the data on the user’s handheld and send it to whatever destination the developer specifies. The developer mentioned in the Malware City post did this and was able to retrieve Android phone users’ personal data within a minute of running the app. [3]

I was actually on a team that actually made a similar app (on the Android platform) for a class project. We considered publishing the application to the Android marketplace, but decided not to because our intentions were only to see if we could perform the exploits on the vulnerable data, not to steal data from the general public. We also were concerned that we might have to face legal consequences in the event that our app was flagged for stealing users’ personal data. If you’re interested, there is a video of our presentation of this app available on YouTube: http://www.youtube.com/watch?v=Le-RX2jx4LQ

And so, as an extension of that project, I plan to further research what (known) vulnerabilities and how many of them exist on mobile platforms, particularly Android, iPhone, and Blackberry devices, since they are the most popular. [1] Then, I will study how they worsen/improve over time. If I can find the time, I may even implement my own security controls (Android service or application) to protect some of the vulnerabilities in the Android operating system from being exploited. I also intend to do some research on policies (if any exist) that govern the personal data stored on mobile devices.

 


[2] Pfleeger, Charles P., and Pfleeger, Shari Lawrence. Security in Computing. 4th ed. New Jersey: Prentice Hall, 2007. Print.

[3] http://www.malwarecity.com/blog/all-data-stored-on-your-smartphone-gone-in-60-seconds-1156.html
